Something smelled fishy

Iceland’s home delivery service exposed sensitive customer information for months until the problem was plugged this week, a UK security researcher discovered.

Paul Moore went public with his findings after failing to get the retailer to act even 12 months after first reporting the issue. Public disclosure finally prompted action from Iceland where private reminders had failed, he said. The flaws were resolved shortly after Moore went public on Wednesday.

The issue revolved around home delivery confirmation sheets and an associated Iceland-run website. When customers placed an order with Iceland for delivery, the driver handed them this sheet... which customers had to sign to accept delivery.

Moore noticed to his consternation that this sheet contained all other customer names, addresses and telephone numbers on that delivery route.

That was bad enough, however there was also an IP address at the top right of the sheet (http://54.75.255.8) and this led to an insecure site.

“This is the login portal for Iceland's scheduling system. It requires a username & password. However, clicking the ? tells you the password is the 4 digit store number (on the sheet they hand you!),” Moore said.

Iceland home delivery site [source: Paul Moore]

All someone would have needed at this point to access sensitive data on the site was a username but this too could be guessed, Moore explained.

“A quick look at the source code reveals a now defunct ‘secret question’ feature. It also has this line... "store_number : $('#id_username').val()" ... suggesting the username should be the store number too. Amazingly, entering both "0287" as both username & password logs you straight in, providing access to everything.”

Nasty.

Fortunately the security vulnerability was plugged hours after it went public.

Iceland told Moore that it had applied a fix so external users couldn't access the site any more (it is IP-limited now). The UK supermarket, which specialises in frozen goods, is also said to be working on changing the way its ePOS system works across the stores too, so they'll no longer need delivery sheets.

In response to queries from El Reg, Iceland sent a statement acknowledging the now resolved issue and thanking Moore for bringing the problem to its attention.

We are confident that only a limited amount of data, and a limited number of stores, were affected and we implemented the necessary changes as soon as we were made aware of the issue yesterday [Wednesday] morning.

The privacy of our customers is of great importance to us and we will continue to do our utmost to ensure that this is properly protected.

Moore credited Iceland for acting quickly after he went public while faulting the retailer for not acting on private reports of problems despite repeated reminders on his part sent through multiple channels of communication. Even flagging up the issue to data privacy watchdogs at the ICO failed to move things along. ®